Gpass Statement on Security

Our infrastructure and security team includes people who've played lead roles in designing, building, and operating highly secure Internet facing systems.

We work closely with the best partners we can find — like amazon for hosting and Stripe for payments — that focus exclusively on maintaining leadership in their particular areas of security expertise.

Most importantly, we respect your privacy and the security of your records. Everything we do at Gpass is built around that respect and designed to maintain your privacy and security. We would never do anything with your data that we wouldn't be proud to tell the world about.

As you continue to learn more about Gpass, we recommend you also review our Terms of Use and Privacy Policy.

Infrastructure
• Gpass runs in cloud servers in AWS, whom we believe to be the best in the business at managing secure cloud services. Gpass does not run its own routers, load balancers, DNS servers, or physical servers.
• All our hosted services and data are managed in AWS facilities in the USA. Our hosted services have been built with disaster recovery in mind.
• All Gpass hosted servers are within a virtual private cloud (VPC) with network access control lists (ACL's), firewalls, and an Intrusion Detection System (IDS) that together help prevent any unauthorized requests.
• The Gpass services are protected by Cloudflare, which secures and ensures the reliability of our websites, APIs, and applications.

Service Levels
For our Gpass hosted services, we have uptime of 99.9% or higher.

Data Security
• All customer data is stored in the USA.
• Customer data is stored in multi-tenant datastores; we do not have individual datastores for each customer. All data is stored using 256-bit AES encryption with multiple keys. We maintain strict privacy controls in our application code to ensure data privacy. We have regular unit and integration tests to ensure these privacy controls work as expected.

Data Transfer
• Our API and application endpoints are TLS/SSL only and score an “A” rating on SSL Labs' tests. This means we only use strong cipher suites and have features such as HSTS and Perfect Forward Secrecy fully enabled.

Authentication
• Gpass is served 100% over https and authenticated using your Google account
• There are no corporate resources or additional privileges from being on Gpass network.
• We maintain and enforce strong password policies.

Application Monitoring
• On an application level, we produce audit logs for all activity.
• All access to Gpass applications is logged and audited.
• All actions taken on production consoles or in the Gpass application are logged.

Build Process Automation
• We have automation in place so that we can safely and reliably rollout changes to both our application and operating platform within minutes.
• We typically deploy code to the production environment multiple times a week.

Security Audits
• We engage with well-regarded “white hats” and independent services to audit our code base and work with us to resolve potential issues.
• Our ongoing auditing process allows us to do ad-hoc security analysis, track changes made to our setup and audit access to every layer of our stack.

Compliance
• Gpass complies with the U.S.-E.U. Safe Harbor Framework and the U.S.- Swiss Safe Harbor framework as set forth by the U.S. Department of Commerce regarding the collection, use and retention of personal data from European Union member countries and Switzerland.
• Gpass has certified that it adheres to the Safe Harbor Privacy Principles of notice, choice, onward transfer, security, data integrity, access, and enforcement.

PCI Obligations
Gpass is not subject to PCI as all payment instrument processing is performed by a trusted partner that focuses exclusively on secure payment processing, Stripe.